How to Stop a DDoS Attack

How to Stop a DDoS Attack & Prevent Future Attacks

Editorial: This post was last updated October 11th, 2022.

DDoS attacks are a growing threat for websites. But do you know how to stop them in their tracks? We’ll cover some essential fundamentals on stopping a DDoS attack and preventing them from happening in the future.

As a webmaster, keeping your site online during large traffic spikes is what you strive for. We simply want to make sure the traffic spikes are legitimate and harmless. So let’s dive in to the warning signs and help you sort out how to stay online – even during a DDoS attack.


What is a DDoS attack?

We have created a helpful guide that details what DDoS attacks are, the many types of variants, and the motivations behind them.

Here are a few things to understand about DDoS attacks that highlight their impact;

  • It costs at little as $150 for criminals / attackers to buy a week-long DDoS attack on the black market.
  • A small DDoS attack could cost as little as $10 for the attacker.
  • More than 2,000 DDoS attacks occur worldwide every single day.
  • The cost of a DDoS attack for the victim can spike to thousands or millions, plus there are some unmeasurable costs—like time, and bandwidth charges.

You can check out this video which explains a bit more what DDoS attacks are.

Types of DDoS attacks

There are a number of different types of DDoS attacks. These threats prevent legitimate users from accessing your website by sending bogus requests or more traffic to the server than it can handle.

Here are a few of the most common types of DDoS attacks.

Volume-based DDoS attacks

The goal of a volume-based DDoS attack is to overload the website’s bandwidth or cause CPU or IOPS usage issues. If the attacker overloads your resources, the attack has been successful.

Some examples of volume-based DDoS attacks include:

  • UDP floods
  • ICMP floods
  • Ping floods

Protocol-based DDoS attacks

The goal of a protocol-based DDoS attack is to exploit weaknesses in Layer 3 and Layer 4 protocol stacks to consume server or networking hardware resources, resulting in service disruption. If the attacker sends more bandwidth than your network ports can handle or more packets than your server can handle, the attack has been successful.

Some examples of protocol-based DDoS attacks include:

  • Ping of death
  • SYN flood

Application layer DDoS attacks

The goal of an application layer attack is to target CPU, memory, or resources that focus on the web application layer, including hitting the web server, running PHP scripts, or contacting the database to load just a single web page.

Some examples of application layer DDoS attacks include:

  • Attacks targeting the DNS server
  • Layer 7 HTTP flood cache bypass
  • Layer 7 HTTP flood attack

So let’s position yourself against these threats. The cost for being unprepared to mitigate a DDoS attack can affect loss of traffic for an indeterminable amount of time; but also that time can lead to loss of reputation and sales. These can have the greatest impact on your business.

How to check for DDoS attacks

It is important to monitor the website traffic for peaks that can allude to DDoS attacks.

There are DDoS attacks made of huge amounts of traffic. These are called volumetric attacks. Most of the time, they are network-based (layer 3 and layer 4 attacks), but not all DDoS attacks are volumetric. We demonstrated during a free webinar how a live DDoS attack from a single machine targets the website’s search engine to take it down. The traffic can be low as 1 request per second as long as targeting a vulnerable endpoint.

It would be great if your website got millions of new visitors in one hour, but wouldn’t it be suspicious?

A dramatic increase in traffic is a red flag for DDoS attacks. We highly recommend you have monitoring tools in place and always check your logs. Have alerts set up in the event you exceed a threshold specific to the number of requests / visitors targeting your site.

Some other indications to consider:

  • The time of day these visits occur. Would your business see a spike at 2:00am local time?
  • Where these visits come from. Would you expect traffic from Indonesia if you’re a local bakery in Canada?
  • The time of year these visits occur. Ensure that you also adjust for expected legitimate surges. If you sell fireworks, then expect a surge in traffic leading up to New Year’s Eve and account for this within your monitoring tools.

Note: Googlebot makes repeated requests to your website, which can seem like suspicious behavior on the surface. Googlebot and other search engine crawlers are vital to having a website rank correctly in searches. After all, we all want to rank high! We have a post that helps highlight the difference between Googlebot legitimate crawling a website and a DDoS attack.

What to do during a DDoS attack

It seems obvious—block them! However, there are few main checklist items that apply to any company when looking to prevent a DDOS attack, or respond during one. These items include:

  • Systems checklist. Develop a full list of assets you should implement to ensure proper DDoS identification and prevention. Using filtering tools will also ensure that components of hardware/software are properly configured.
  • Form a response plan. Define responsibilities for key team members to ensure an organized reaction to the attack happens; a 24/7 window of response.
  • Define alternate methods or solution. Make sure your team members know exactly whom to contact in case the attack exceeds your capabilities.
  • You should also develop communication workflows with your customer base to ensure they are aware of any potential degradation of performance as a result of the attack.

If you’re interested in knowing more about our solution’s capabilities against DDoS threats, two of our Firewall engineers showcase the effectiveness of our WAF against DDoS threats in a short video we created. We launched an attack on a site that is on a server with limited resources— both behind our Firewall and not.

How to stop a DDoS attack

There are a number of important steps you can take to stop a DDoS attack in its tracks.

1 – Identify the DDoS attack.

Catching a DDoS attack early makes all the difference in reducing impact and downtime for your website. If you are running your own web servers, ensures you have services that can help you monitor when you are coming under DDoS attack.

2 – Maintain sufficient bandwidth and resources.

Your web server should already be set up to accommodate unexpected increases in traffic, especially if you are running advertisements, campaigns, or special offers. These extra resources can also buy you a few extra minutes of time to react to a DDoS attack before your website’s resources are overwhelmed.

3 – Defend your network perimeter.

If you run your own web server, there are a few steps you can take to mitigate the effects of a DDoS attack. For example, you can limit the number of requests your web server accepts over time, add filters to drop packets if you know from specific sources if you are able to identify where the attack is originating, or set lower ICMP, SYN, and UDP flood drop thresholds — but unfortunately, these aren’t particularly effective against especially large, highly sophisticated DDoS attacks.

4 – Leverage a web application firewall (WAF).

A web application firewall (WAF) can help address DDoS and DoS attacks, layer 7 threats, bad bots and even virtually patch against known website vulnerabilities. The WAF is essentially a layer of protection that sits between a website and the traffic it receives. We dive deeper into the topic in this article about what is a WAF.

There are several WAF solutions that will offer automated mitigation of DDoS threats, but one of the best ways to define which WAF works the best for your application is to analyze how effective the protection is—whether it’s within the budget or if your team can properly configure it.

5 – Enable country blocking.

Country-based blocking is typically effective at minimizing risks. It can also help in complying with some organizational policies whose intention is indeed to “block hackers”. Here are a couple of things to note:

  • Regional origin is irrelevant to computers; a website firewall can only see IP addresses. Inferring geography from IP addresses relies on big tables that are never completely up to date.
  • Working around these blocking systems is trivial for attackers. It suffices to use some form of anonymous proxy or proxying from outside of the blocked country list, and this happens “naturally” when using Tor, which is a free and open-source software for enabling anonymous communication.

It’s not to say that country blocking won’t help prevent DDoS threats; but be sure to understand the implication behind blocking out the entire world except your country. It may not be as black and white a solution as others may lead you to believe. Country blocking is a way to enhance an actual protection against DDoS attacks, such as a website firewall.

Nowadays, most botnets are made of thousands of hacked websites, compromised CCTVs, infected computers, and other internet of things devices. The attacks are distributed all over the world. Having said that, country blocking can prevent thousands of mindless bots from spamming the connection logs. Definitely a plus!

Learn more about how to stop a DDoS attack

We’ve put together a comprehensive guide outlining what a DDoS attack is, why they can happen to websites of any size, and how you can prevent them from harming your traffic and server resources. You can also check out this video which demonstrates how a firewall can help protect against attacks.

You May Also Like